CYBER DECODER FINANCIAL LINES GROUP NEWSLETTER ISSUE 12

MORRISONS DATA BREACH – Page 3

US DATA TRANSFERS – Page 4

UK MINISTRY OF DEFENCE TACKLES CYBER THREAT – Page 6

ALSO IN THIS ISSUE
Cyber insurance market – 5
The dark web – 7
Cyber threat intelligence – 8
Top tweets – 9

Keeping your counsel

The “Panama Papers” have already claimed the job of the Icelandic Prime Minister and prompted uncomfortable questions for the UK’s David Cameron. But it should have a much wider impact. Others named in the documents from law firm Mossack Fonseca include high profile clients around the world. Overall, 140 politicians and public officials are named, as well as more than 214,000 organisations, according to the International Consortium of Investigative Journalists. In early April, the UK’s financial regulator, the FCA, gave big banks and financial institutions a week to check if they have links to Mossack Fonseca – “a massive process,” according to one banker quoted by the Financial Times.

It is the scandal du jour, and, with 11 million documents taken, it is being described as the biggest document leak ever. It is one of the highest profile and most significant data breaches of recent times. As the firm’s founding partner Ramon Fonseca has told reporters: “We rule out an inside job. This is not a leak. This is a hack.”

POOR PRACTICE

The firm is said to be investigating its own theory as to how its email server came to be compromised. Some IT experts have their own theory already, however: They put it down to an “astonishing” disregard for data security. The firm’s IT security faults identified include basic failures to update software,


poor configuration of the server and website, and a failure to encrypt email. “Given the business they’re in, I find it quite surprising that they haven’t thought about securing their emails better,” one told WIRED. Another article sums it up: “Moneyshuttling firm lost 2.6 TB of data and didn’t even notice.”

Unfortunately, though, neither the lack of security nor the targeting of the firm is really so surprising.

A WIDER PROBLEM

The importance of confidentiality to legal firms and the risk they face are well recognised. Lawyers were among those included as a focus in the UK government’s Cyber Security Strategy in 2011, and the Law Society has warned members they represent “particularly attractive sources of information.”

Moreover, just before the Panama papers came to light, the Wall Street Journal reported hackers had broken into a number of major law firms in the US, with as many as 48 firms targeted. And it’s not just data breaches: In the UK, insurer QBE says its latest data shows around £85 million stolen across the legal market in the past 18 months – much of it by cyber criminals.

It is also well recognised firms need to do more in this area, and the Panama Papers are likely to renew calls for firms to double their efforts. They will also add to pressure on firms to look at their insurance cover, as many in the US are already doing. More widely, the incident serves as a reminder that you don’t need to be an online retailer, technology firm or even high profile to be a top target for hackers. It’s also a reminder that, as long as you engage professional service firms or any other provider who needs your data, it’s not just your own security you have to worry about.


Class actions for data breaches come to the UK

Almost 6,000 current and former staff are suing supermarket Morrisons over its 2014 data breach in what lawyers say is a first for the UK. The case relates to a data breach that saw details of almost 100,000 staff sent to newspapers and websites by a disgruntled employee. The data included salaries, national insurance numbers, birth dates and bank account details.

Lawyers representing the staff argue the retailer “could and should” have done more to prevent the details being stolen, and in November of 2015, the High Court approved a Group Litigation Order (GLO). This allowed employees to join pending legal action against the supermarket. By the April 8 deadline, the number who had was 5,954. A hearing to determine when a trial would take place is scheduled for May 2016.

Morrisons has long denied any liability for the “actions of a rogue individual”, but, whatever the outcome, the case is a significant development: It is believed to be the first GLO approved for a data breach case, potentially opening the way for more US-style class actions for data breaches.

The costs of these could easily dwarf the current £500,000 maximum fine the UK’s Information Commissioner’s Office is able to impose. In the US, for example, just two days before the GLO deadline in April, a federal judge approved a USD 8 million settlement of a class action brought by former employees against Sony Pictures, after their personal information was stolen in 2014.

According to lawyers, the key issue in the Morrisons case is likely to be whether the claimants have to prove they suffered financial loss (which the supermarket denies). If not, the case could open the way for more claims in future.


Still no certainty for US data transfers

Privacy Shield, the intended replacement for Safe Harbour after it was overturned by the European Court of Justice, has been roundly criticised by the German Association for Data Protection (DVD). In a press release (in German) the Association has said it was “shocked” by the proposals it’s seen so far.

According to DVD, there is no clear indication how the new agreement would protect EU citizens from mass surveillance by security agencies such as the NSA, nor ensure their privacy against US companies. DVD board member Thilo Weichert said: “The substantive provisions of the repealed Safe Harbor are essentially no different from the Shield now planned.”

Importantly, DVD representatives form part of the Article 29 Working Party, which will evaluate whether the new agreement passes muster. According to reports, leaks of its assessment suggest a similar conclusion.

Not everyone is sceptical. In April, Microsoft became the first big US company to endorse Privacy Shield. However, others warn it faces significant hurdles before it can be ratified. Even if it is passed, an inadequate agreement could be challenged when the EU General Data Protection Regulation becomes law in 2018. This all leaves US firms and EU companies transferring data to them little better off than they were before the agreement in February. Many will be left looking again at their insurance coverage for any potential violations of privacy regulations. Many others need to clarify where their data is stored in the first place: A recent survey shows four in ten organisations don’t know. With uncertainty on the legal status of transfers outside the EU, such complacency is unlikely to prove sustainable.


Not just a means to an end

The cyber insurance market is in its infancy but has “vast potential,” according to a congressional committee. The comments came during a hearing of a Homeland Security Committee subcommittee looking at the role of cyber insurance in risk management. As subcommittee chairman John Ratcliffe said in his opening statement, cyber insurance has potential to improve businesses’ resiliency and develop more effective risk management strategies.

“The very process of considering, applying for, and maintaining cyber insurance requires entities to assess the security of their systems and examine their own weaknesses and vulnerabilities. This process is constructive, not only for obtaining a fairly priced policy, but also as a means of improving the company’s security in the process,” he said.

The result could be “a safer Internet for all Americans.”

Market penetration, though, remained inadequate in the US, he said. Those acquiring cyber insurance were largely “leading companies that have the most to lose,” and efforts were needed to expand policies and coverage for smaller businesses. Despite a much larger market, it is interesting to note that many of the challenges the US faces are the same as in Europe.

That’s true, too, of the barriers to expanding capacity and coverage. The subcommittee heard that a key challenge was the difficulty in quantifying the risk: “Cybersecurity risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data,” noted one witness.

There were suggestions in the hearing that the government could also play a role in encouraging organisations to share information – perhaps helping establish a repository of cyber incident data. This could be valuable, provided it was voluntary, but, as we’ve noted before, efforts to improve cyber risk data have already begun. Across the Atlantic, for example, January saw Lloyd’s of London and others agree to standardise the way cyber exposure data is collected. The hearings made clear once again that, as such initiatives bear fruit, the range of coverages and the number of businesses taking them is bound to expand. If the subcommittee is to be believed, that would be good news for everyone.


UK ministry of defence tackles cyber threats

The UK Ministry of Defence has announced a new £40 million Cyber Security Operations Centre (CSOC) to tackle cyber threats. The new centre will be equipped with “state-of-the-art defensive cyber capabilities to protect the MOD’s cyberspace from malicious actors”, according to the MoD. It forms part of £1.9 billion investment over the next five years earmarked by the country’s strategic defence and security review to protect the UK from cyber attacks.

It also follows hard on reports that American and British Trident nuclear missiles are to be upgraded to protect them against cyber risks; and that the two countries are to stage a joint operation later this year simulating a cyber attack on a nuclear power plant. As a US Navy spokesperson told reporters: “In our modern era, cybersecurity threats are a legitimate concern.” Nor are the US and UK alone in that view. The same week saw Ukrainian President Petro Poroshenko approve a new draft cyber-security strategy for the country, following the recent attacks on its power grid.

The stories are all different but the message is the same: whether your business considers risks such as cyber terrorism and cyber warfare real or otherwise, those in power are taking them seriously. And they evidently think it’s worth investing to mitigate against them.


BUZZWORD OF THE MONTH: THE DARK WEB

What is it? That is a good question, apparently: a recent survey showed that 71% want to see the dark net shut down, and, one commentator notes, that finding suggests that most don’t know what it is. “Shutting down the dark net would require finding and shutting down some 7,000 secret Tor nodes worldwide… And that’s just Tor; you’d also need to shut down other dark net access avenues like I2P or Freenet, then magically ban any new technologies from being developed,” he writes. Shutting the dark web down is little more feasible than turning off the internet.

Moreover, the dark web is not intrinsically bad, as the Center for International Governance Innovation, which commissioned the research, acknowledges. It is simply formed of networks using the technology of the public internet we all know, but requiring special software, configurations or authorization for access. While it might have become heavily associated with criminal users, it is also “a safe haven for whistleblowers, journalists, dissidents, political victims, asylum seekers and privacy lovers,” as the think tank puts it. In fact, one recent analysis of the dark web found that less than half of the sites accessed using the Tor browser were actually engaged in activities illegal under US or UK law.

Why should you care? Because the dark web is, nevertheless, heavily associated with criminal activity. Like Bitcoin, the privacy and anonymity the technology provides makes it attractive to criminals as well as legitimate users. From botnets for denial of service attacks and software for hacking, to markets for credit card details and personal data, the dark web provides a one-stop-shop for both the tools and stolen goods of cyber crime. And the costs are coming down.

Put simply, if you’re not interested in the dark web, it’s still interested in you. And, whatever your views on it, it’s not going away any time soon.


Cyber threat intelligence
Brought to you in partnership with CSC

COMING TOGETHER TO MAGNIFY THE RISK

Those working to protect data have always faced twin challenges: regulatory pressure and developing threats. Both the likelihood of a data breach and the potential consequences are central to determining the risk. And both are evolving with particular speed at the moment.

On the one hand, both threats and the vulnerabilities they exploit continue to emerge with worrying speed. Last year, a new Zero-Day vulnerability (a previously unknown security hole in software) was identified each week, according to Symantec’s recent Threat Report. That’s more than double the previous year.

On the other, April saw the EU’s General Data Protection Regulation finally passed, after four years of debate. This will radically increase potential penalties for breaches of data protection law in Europe – up to 4% of a company’s total global annual turnover. When implemented in two years, it will also bring EU member states into line with the US position in requiring businesses to notify individuals of any data breaches affecting their personal information.

Whatever the difficulties, the current debate over the EU-US Privacy Shield also shows the two markets working towards an increasingly harmonised approach. Here, though, if anything, the pressure is for US businesses to more closely meet higher data protection standards (as opposed to penalties) in the EU.

The standards expected of business, the potential penalties for getting it wrong, and the dangers of doing so, therefore, are all in flux. In each case, though, they are all only heading in one direction.

RECENT VULNERABILITIES AND THREATS

April 17 US TV show 60 Minutes has demonstrated how the global mobile network Signalling System Seven (SS7) can be hacked to spy on mobile phone users. On the show security experts used the vulnerability to intercept and record calls, view contact details, read texts and track the iPhone of a US senator cooperating with the programme.

April 14 Trend Micro warns Microsoft Windows users that Apple has stopped updates for its Quicktime software. As a result, it identified two vulnerabilities that could be used to compromise Windows computers remotely. Windows users should therefore uninstall the software immediately.

April 12 Microsoft has released a patch for a crucial security bug in Windows and Samba, a software component used to manage file and print services across multiple operating systems and networks. According to a website on the Badlock bug, exploitations of the Samba vulnerabilities should be expected to be seen soon.

April 4 Adobe has released a security advisory for its Flash Player 21.0.0.197 and earlier versions. It identifies a vulnerability attackers may be able to leverage to remotely crash and take control of an affected system. The company has released an update users should download.

JLT Specialty Limited provides insurance broking, risk management and claims consulting services to large and international companies. Our success comes from focusing on sectors where we know we can make the greatest difference – using insight, intelligence and imagination to provide expert advice and robust – often unique – solutions. We build partner teams to work side-by-side with you, our network and the market to deliver responses which are carefully considered from all angles.


TOP TWEETS

The latest from JLT on terrorism, including our view on cyber terrorism
50 million exposed in Turkey data breach
5 things to look out for in a cloud service provider
Time to face up to cyber risks
Top 3 blind spots in your cyber insurance coverage
IDC: Cyber insurance will be commonplace in the future

Our Cyber, Technology, and Media Errors & Omissions team delivers bespoke risk management and insurance solutions to meet the needs of clients from a variety of industries. The team combines experience and talent with a track record of delivering successful results and tangible value for our clients.

CONTACTS

Sarah Stephens, Head of Cyber, Technology and Media E&O, JLT Specialty, +44 (0) 20 7558 3548, [email protected]
Lauren Cisco, Partner, JLT Specialty, +44 (0) 20 7558 3519, [email protected]
Jack Lyons, Partner, JLT Specialty, +44 (0) 20 7528 4114, [email protected]

This newsletter is published for the benefit of clients and prospective clients of JLT Specialty Limited. It is intended only to highlight general issues relating to the subject matter which may be of interest and does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. If you intend to take any action or make any decision on the basis of the content of this newsletter, you should first seek specific professional advice.

JLT Specialty Limited, The St Botolph Building, 138 Houndsditch, London EC3A 7AW, www.jltspecialty.com. Lloyd’s Broker. Authorised and regulated by the Financial Conduct Authority. A member of the Jardine Lloyd Thompson Group. Registered Office: The St Botolph Building, 138 Houndsditch, London EC3A 7AW. Registered in England No. 01536540. VAT No. 244 2321 96. © May 2016 271868